Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1293
Views
0
Helpful
5
Replies

Apple 802.1x profile for NAC

Go to solution
ptomaras
Cisco Employee
Cisco Employee

‎06-06-2017 08:18 AM

My customer was provided a profile which they've not had a good experience with.  I assume we've done this within Cisco and would love if we can have somebody from Cisco IT provide guidance to my customer on this.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to ptomaras

‎06-15-2017 07:27 AM

From an SME, please do reach out to Apple.


It seems to me that profile is not configured properly… but I could be wrong (haven’t played around it for long time).

  1. 802.1x Ethernet Payload

The 802.1x Ethernet payload is designated by specifying one of the following as the PayloadType value:

  • com.apple.firstactiveethernet.managed [default]
  • com.apple.firstethernet.managed
  • com.apple.secondactiveethernet.managed
  • com.apple.secondethernet.managed
  • com.apple.thirdactiveethernet.managed
  • com.apple.thirdethernet.managed

Payloads with “active” in their name apply to Ethernet interfaces that are working at the time of profile installation. If there is no active Ethernet interface working, the com.apple.firstactiveethernet.managed payload will configure the interface with the highest service order priority.

Payloads without “active” in the name apply to Ethernet interfaces according to service order regardless of whether the interface is working or not.

There is currently no support for a BSD level specifier.

To specify an enterprise profile for a given 802.1x network, include the EAPClientConfiguration key in the payload, as described in EAPClientConfiguration Dictionary.

https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW31

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎06-06-2017 08:28 AM

Sorry can you explain more what you're looking for? 802.1x profile for MAC logging in?

0 Helpful

Go to solution
ptomaras
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎06-14-2017 12:32 PM

Thanks for reaching out Jason.  I completely missed your response.  Im far from a security expert but this is the issue the customer is having with the current profile they are using:

“Wade has created a Mac profile in the form of a transferable file. So it is something that we can send out to our Mac users. When a Mac with this profile connects to our Ethernet switch it fails to conduct an 802.1x authentication until the user goes into their network configuration app and presses the “Connect” button. This will be deemed an unacceptable user experience. We need this process to be automatic for the user when connecting to Ethernet and Wireless. Cisco must have run into this issue before.”

Wade is our AS security SME.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to ptomaras

‎06-15-2017 07:12 AM

This is not something that ISE has control over as you know. I did a quick search on apple's forums to see what information that had but couldn't find anything. I will also forward to a few SME to see what they think. Have you tried reaching out to apple as well?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to ptomaras

‎06-15-2017 07:27 AM

From an SME, please do reach out to Apple.


It seems to me that profile is not configured properly… but I could be wrong (haven’t played around it for long time).

  1. 802.1x Ethernet Payload

The 802.1x Ethernet payload is designated by specifying one of the following as the PayloadType value:

  • com.apple.firstactiveethernet.managed [default]
  • com.apple.firstethernet.managed
  • com.apple.secondactiveethernet.managed
  • com.apple.secondethernet.managed
  • com.apple.thirdactiveethernet.managed
  • com.apple.thirdethernet.managed

Payloads with “active” in their name apply to Ethernet interfaces that are working at the time of profile installation. If there is no active Ethernet interface working, the com.apple.firstactiveethernet.managed payload will configure the interface with the highest service order priority.

Payloads without “active” in the name apply to Ethernet interfaces according to service order regardless of whether the interface is working or not.

There is currently no support for a BSD level specifier.

To specify an enterprise profile for a given 802.1x network, include the EAPClientConfiguration key in the payload, as described in EAPClientConfiguration Dictionary.

https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW31

0 Helpful

Go to solution
ptomaras
Cisco Employee
Cisco Employee

‎06-15-2017 09:43 AM

Awesome, thanks Jason!

0 Helpful
Customers Also Viewed These Support Documents